Google Warns of Increasingly Sophisticated Threat Actors Exploiting Zero-Day Vulnerabilities

In a newly released annual report, M-Trends 2025, Google-owned cybersecurity firm Mandiant has highlighted a significant escalation in the sophistication of cyber threat actors, particularly those associated with China-nexus groups.

According to the report, these groups have demonstrated advanced capabilities in developing customized malware ecosystems, rapidly identifying and leveraging zero-day vulnerabilities in both security appliances and infrastructure, and orchestrating proxy networks akin to botnets.

Their tactics often target edge devices and platforms that lack traditional endpoint detection and response capabilities while employing tailored obfuscators to evade detection and prolong their presence within compromised environments.

Opportunistic Tactics and Evolving Initial Access Vectors

Mandiant’s threat intelligence underscores, however, that not all high-impact breaches require technical complexity.

The rise in productivity-focused cybercrime is exemplified by opportunistic exploitation, with attackers increasingly leveraging credentials harvested via infostealer malware.

The report observes a notable surge in credential-based attacks: in 2024, stolen credentials accounted for 16% of initial infection vectors, up from previous years and now ranking as the second most common method after exploitation of known vulnerabilities, which comprised 33% of intrusions.

This trend aligns with a broader pattern of attackers targeting cloud migration exposures and unsecured data repositories to obtain sensitive information and escalate privileges.

Mandiant’s analysis, derived from over 450,000 hours of incident response, reveals that 55% of tracked threat groups in 2024 were financially motivated, a figure that has risen steadily, while 8% pursued espionage objectives.

Sectors at greatest risk include financial services (17.4%), business and professional services (11.1%), high technology (10.6%), government (9.5%), and healthcare (9.3%).

Another notable trend is the increase in global median dwell time. This key metric, which measures the interval between initial compromise and detection, climbed to 11 days in 2024 compared to 10 days in 2023.

Dwell time was highest (26 days) when incidents were discovered by external entities, while cases internally detected by organizations reported a median of 10 days.
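Dwell time as the report defines it, the interval between initial compromise and detection, is straightforward to compute from an organisation's own incident records, and splitting it by who detected the incident reproduces the internal-versus-external comparison above. The following Python is added here as an illustration; it is not code from the article or from Mandiant's report. The record layout, field names and the six sample incidents are constructed assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident records (assumption, not report data). Each record
# holds the earliest evidence of compromise, the detection timestamp, and who
# detected it: "internal" (the victim organisation) or "external" (a third party).
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "compromised": "2024-03-01T08:00:00", "detected": "2024-03-05T08:00:00", "source": "internal"},
    {"id": "INC-002", "compromised": "2024-04-10T00:00:00", "detected": "2024-04-20T00:00:00", "source": "internal"},
    {"id": "INC-003", "compromised": "2024-05-01T12:00:00", "detected": "2024-05-13T12:00:00", "source": "internal"},
    {"id": "INC-004", "compromised": "2024-06-01T00:00:00", "detected": "2024-06-21T00:00:00", "source": "external"},
    {"id": "INC-005", "compromised": "2024-07-01T00:00:00", "detected": "2024-07-27T00:00:00", "source": "external"},
    {"id": "INC-006", "compromised": "2024-08-01T00:00:00", "detected": "2024-09-10T00:00:00", "source": "external"},
]


def dwell_days(record: dict) -> float:
    """Dwell time of one incident in days (compromise -> detection)."""
    start = datetime.fromisoformat(record["compromised"])
    end = datetime.fromisoformat(record["detected"])
    if end < start:
        # A detection timestamp before the compromise timestamp is a data-entry
        # error, not a negative dwell time; refuse it rather than skew the median.
        raise ValueError(f"{record['id']}: detected before compromised")
    return (end - start).total_seconds() / 86400


def median_dwell(records: list) -> float:
    """Median dwell time across all incidents, rounded to one decimal."""
    return round(median(dwell_days(r) for r in records), 1)


def median_dwell_by_source(records: list) -> dict:
    """Median dwell time per detection source (internal vs external)."""
    buckets: dict = {}
    for r in records:
        buckets.setdefault(r["source"], []).append(dwell_days(r))
    return {src: round(median(vals), 1) for src, vals in buckets.items()}


def incidents_over(records: list, threshold_days: float) -> list:
    """IDs of incidents whose dwell time exceeds a threshold, for hunt review."""
    return [r["id"] for r in records if dwell_days(r) > threshold_days]


if __name__ == "__main__":
    print("overall median:", median_dwell(SAMPLE_INCIDENTS))            # 16.0
    print("by source:", median_dwell_by_source(SAMPLE_INCIDENTS))       # internal 10.0, external 26.0
    print("over 11 days:", incidents_over(SAMPLE_INCIDENTS, 11.0))
```

The threshold in `incidents_over` is a benchmark the reader chooses; using the report's global median of 11 days is one reasonable choice for flagging cases that warrant a look at why detection lagged.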

Threat Landscape Expands to Cloud and Web3

M-Trends 2025 delves into new adversary tactics, including North Korean actors posing as remote IT contractors under fake identities to generate revenue, and a marked intensification of cyber operations by Iran-nexus groups, particularly against Israeli targets.

The report also documents increased targeting of cloud-based systems that serve as centralized points of authority, such as single sign-on portals, which, if compromised, can facilitate wide-scale internal access.

Additionally, attackers are increasingly focusing on Web3 technologies, including cryptocurrencies and blockchains, to enable theft, money laundering, and the financing of illicit activities.

To fortify against these threats, Mandiant recommends a multi-layered security strategy prioritizing core cyber hygiene: rigorous vulnerability management, least privilege access, and robust system hardening measures.

Organizations are urged to implement FIDO2-compliant multi-factor authentication across all accounts, especially privileged ones, and to invest in advanced detection solutions and incident response planning.

Enhanced monitoring and threat hunting practices are essential to minimizing dwell time, as is the regular auditing of cloud assets for misconfigurations and vulnerabilities.

Finally, staying current with threat intelligence and adapting security policies accordingly are paramount to mitigating the risks posed by rapidly evolving threat actors.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
